Security warning: State-backed hackers are trying to steal coronavirus research

Joint advisory from the UK National Cyber Security Centre and US Department of Homeland Security warns that cyberattackers are actively targeting healthcare with a variety of hacking tricks.
Written by Danny Palmer, Senior Writer

State-backed hacking groups are targeting healthcare and other organisations involved in national and international responses to the coronavirus pandemic, the UK's National Cyber Security Centre (NCSC) and the US Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) have warned.

Advanced Persistent Threat (APT) groups – sophisticated hacking groups generally linked to a nation-state – are looking to get hold of information about national COVID-19 responses, healthcare research or other sensitive data related to coronavirus, and are targeting organisations in sectors including healthcare, pharmaceuticals, academia, medical research and local government, says the joint advisory.

Cyberattacks against these targets – particularly those relating to coronavirus research – are useful for state-backed operations because they could potentially provide an avenue for aiding their own domestic research into coronavirus-related medicine.


One area that's particularly being targeted as an entry point for attacks, the security agencies have warned, is international supply chains.

"Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets," the advisory warns. "Many elements of the supply chains will also have been affected by the shift to remote working and the new vulnerabilities that have resulted."

A previous joint warning from the NCSC and DHS described how cyberattackers are scanning for vulnerable VPNs in order to launch attacks against remote workers, and this appears to have continued.

Unpatched software is a particularly appealing target for these attacks and the advisory notes that Citrix vulnerability CVE-2019-19781 is something that hacking groups associated with nation-states have looked to take advantage of.

APT groups targeting healthcare and other essential services are also attempting to use large-scale "password-spraying" campaigns, deploying brute force attacks using common passwords against healthcare providers in the UK, US and other countries. These attacks are being investigated by both NCSC and CISA.

"APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic," says the advisory.


UK Foreign Secretary Dominic Raab has condemned "unacceptable" cyberattacks by hostile groups targeting healthcare and the coronavirus research response.

"The effects of these cyberattacks are potentially life-threatening as they disrupt and put pressure on organisations and individuals working hard to save lives," he said.

"The UK will continue to counter those who conduct reckless cyberattacks for their own malicious ends. We are working closely with our allies to hold the perpetrators to account and deter further malicious cyber activity around the world," Raab added.

To help protect accounts from password-spraying attacks, the NCSC recommends the use of a strong – and importantly, unique – password.

And to mitigate more advanced attacks, the joint advisory recommends that VPNs, network infrastructure and devices being used in remote-work environments are updated with the latest security updates, so that attackers can't exploit known vulnerabilities as a means of entry.

Organisations are also advised to set up multi-factor authentication as an additional layer of defence, so if an account or network is compromised, the attack can't do as much damage.
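Password spraying tries a few common passwords across many accounts, so per-account lockout counters rarely trip and detection has to look at the source instead. The sketch below is an added example, not code from the article or the NCSC/CISA advisory; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data); the line format is an assumption.
SAMPLE_LOG = """\
2020-05-05T09:00:01 FAIL user=alice src=203.0.113.7
2020-05-05T09:00:04 FAIL user=bob src=203.0.113.7
2020-05-05T09:00:09 FAIL user=carol src=203.0.113.7
2020-05-05T09:00:15 FAIL user=dave src=203.0.113.7
2020-05-05T09:00:21 OK user=erin src=203.0.113.7
2020-05-05T09:01:00 FAIL user=frank src=198.51.100.9
2020-05-05T09:01:02 FAIL user=frank src=198.51.100.9
2020-05-05T09:01:05 FAIL user=frank src=198.51.100.9
2020-05-05T09:01:07 FAIL user=frank src=198.51.100.9
2020-05-05T09:02:00 FAIL user=grace src=192.0.2.44
2020-05-05T09:02:30 OK user=grace src=192.0.2.44
"""

def parse(log):
    """Yield (time, outcome, user, source); lines without the expected fields are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].startswith("user=") and parts[3].startswith("src="):
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2][5:], parts[3][4:]

def detect_spraying(log, min_accounts=4, window=timedelta(minutes=10)):
    """Return {source: accounts} for sources whose failed logins hit at least
    min_accounts distinct accounts inside one sliding time window."""
    failures = defaultdict(list)
    for ts, outcome, user, src in parse(log):
        if outcome == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop failures that fell out of the window
            accounts = {u for _, u in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[src] = sorted(accounts)
                break
    return flagged

def successes_from(log, sources):
    """Successful logins from flagged sources: accounts to reset and review first."""
    return sorted({(u, s) for _, o, u, s in parse(log) if o == "OK" and s in sources})
```

Repeated failures against a single account (the `frank` lines) are ordinary brute force and are left to lockout policy; a success from a flagged source (the `erin` line) is the case where multi-factor authentication limits the damage.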

